OS X Lion Server Essentials -

Apple Pro Training Series

OS X Lion Server EssentialsArek Dreyer and Ben Greisler

Apple Pro Training Series: OS X Lion Server Essentials

Arek Dreyer and Ben Greisler

Copyright © 2012 by Peachpit Press

Published by Peachpit Press. For information on Peachpit Press books, contact:

Peachpit Press

1249 Eighth Street

Berkeley, CA 94710

(510) 524-2178

www.peachpit.com

To report errors, please send a note to [email protected].

Peachpit Press is a division of Pearson Education.

Apple Series Editor: Lisa McClain

Production Coordinator: Kim Elmore, Happenstance Type-O-Rama

Technical Editor: Andrina Kelly

Apple Reviewer: John Signa

Apple Project Manager: Judy Lawrence

Copy Editor: Jessica Grogan

Proofreader: Jessica Grogan

Compositor: Chris Gillespie, Happenstance Type-O-Rama

Indexer: Jack Lewis

Cover Illustration: Kent Oberheu

Cover Production: Chris Gillespie, Happenstance Type-O-Rama

Notice of Rights

All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic,

mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. For

information on getting permission for reprints and excerpts, contact [email protected].

Notice of Liability

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been

taken in the preparation of the book, neither the authors nor Peachpit Press shall have any liability to any person

or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions

contained in this book or by the computer software and hardware products described in it.

Trademarks

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trade-

marks. Where those designations appear in this book, and Peachpit was aware of a trademark claim, the des-

ignations appear as requested by the owner of the trademark. All other product names and services identified

throughout this book are used in editorial fashion only and for the benefit of such companies with no intention

of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement

or other affiliation with this book.

ISBN 13: 978-0-321-77508-5 ISBN 10: 0-321-77508-2

9 8 7 6 5 4 3 2 1 Printed and bound in the United States of America

www.peachpit.com

Acknowledgments We extend a big thank you to all the people

at Apple for getting Lion and Lion Server out the door, and of course to

Steve Jobs, for inspiring us all.

Thanks to the Mac sysadmin community for always striving to better serve

your users.

Thanks to Lisa McClain for gently making sure these materials made it into

your hands, and to Jessica Grogan and Kim Elmore for working their editorial

and production magic.

Thank you, also, to the following people. Without your help, this book would

be much less than what it is: David Colville, Gordon Davisson, John DeTroye,

Andre LaBranche, Charles Edge, Matthias Fricke, Allen Hancock, Aaron Hix, Eric

Hemmeter, Jason Johnson, Adam Karneboge, Andrina Kelly, Ian Kelly, Bob Kite,

Judy Lawrence, Chad Lawson, Woody Lidstone, David Long, Tip Lovingood,

Duane Maas, Andrew MacKenzie, Jussi-Pekka Mantere, Steve Markwith, Kim

Mitchell, Nader Nafissi, Tim Perfitt, Mike Reed, Schoun Regan, Jeremy Robb,

John Signa, Chris Silvertooth, David Starr, Kevin White, Simon Wheatley, and

Josh Wisenbaker.

Arek Dreyer Thanks to my lovely wife, Heather Jagman, for her love and support.

Ben Greisler My love and appreciation to my wife, Ronit, and my children,

Galee and Noam, for supporting me through this project.

Contents at a Glance

v

Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xi

Chapter 1 Installing and Configuring OS X Lion Server . . . . . . . . . . . . . . 1

Chapter 2 Authenticating and Authorizing Accounts . . . . . . . . . . . . . . . . 85

Chapter 3 Using Open Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Chapter 4 Managing Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Chapter 5 Implementing Deployment Solutions . . . . . . . . . . . . . . . . . . . 281

Chapter 6 Providing File Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

Chapter 7 Managing Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Chapter 8 Using Collaborative Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

Table of Contents

vii

Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xi

Chapter 1 Installing and Configuring OS X Lion Server . . . . 1Evaluating Lion Server Requirements . . . . . . . . . . . . . . . . . . . . . . 2

Installing Lion Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Configuring an Administrator Computer . . . . . . . . . . . . . . . . . 15

Initial Lion Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . 20

Using Tools for Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Configuring SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

What You’ve Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Chapter 2 Authenticating and Authorizing Accounts . . . . . . 85Managing Access to Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Creating and Administering User and

Administrator Server Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Controlling Access With Server Access Control Lists (SACLs) . .116

Configuring Virtual Private Network (VPN) Service . . . . . . . 137

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

What You’ve Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Chapter 3 Using Open Directory . . . . . . . . . . . . . . . . . . . . . . 153Introducing Directory Services Concepts . . . . . . . . . . . . . . . . . 154

What Is Open Directory? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Overview of Open Directory Service Components . . . . . . . . . 155

viii Contents

Preparing to Configure Open Directory Services . . . . . . . . . . 159

Configuring Open Directory Services. . . . . . . . . . . . . . . . . . . . 165

Managing Network User Accounts . . . . . . . . . . . . . . . . . . . . . . 193

Configuring Authentication Methods on Lion Server . . . . . . 209

Archiving and Restoring Open Directory Data . . . . . . . . . . . . 221


Preparing DNS Records (Optional) . . . . . . . . . . . . . . . . . . . . . 236


References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Chapter 4 Managing Accounts . . . . . . . . . . . . . . . . . . . . . . . . 249Introducing Account Management . . . . . . . . . . . . . . . . . . . . . . 250

Configuring Profile Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Managing User, Group, Device, and Device Group Accounts . . 269



References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Chapter 5 Implementing Deployment Solutions . . . . . . . . . 281Deployment Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

Managing Computers with NetBoot . . . . . . . . . . . . . . . . . . . . . 282

Creating NetBoot Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

Specifying a Default Image and Protocol . . . . . . . . . . . . . . . . . 293

Understanding Shadow Files . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

Configuring a NetBoot Server . . . . . . . . . . . . . . . . . . . . . . . . . . 296

Configuring a NetBoot Client . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Configuring NetBoot Images . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Configuring NetRestore Images . . . . . . . . . . . . . . . . . . . . . . . . 303

Filtering NetBoot Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Monitoring NetBoot Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Troubleshooting NetBoot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Managing Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

Troubleshooting Software Update Service . . . . . . . . . . . . . . . . 311


References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Contents ix

Chapter 6 Providing File Services . . . . . . . . . . . . . . . . . . . . . 315Addressing the Challenges of File Sharing . . . . . . . . . . . . . . . . 316

Creating Share Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Understanding POSIX Ownership, POSIX

Permissions, and ACLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

Preparing for a Network Home Folder . . . . . . . . . . . . . . . . . . . 361

Offering Time Machine Services . . . . . . . . . . . . . . . . . . . . . . . . 366

Troubleshooting File Services . . . . . . . . . . . . . . . . . . . . . . . . . . 374

Cleaning up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376


References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

Chapter 7 Managing Web Services . . . . . . . . . . . . . . . . . . . . 383Understanding Basic Website Concepts . . . . . . . . . . . . . . . . . . 384

Managing Websites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

Managing Website Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Securing Your Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Monitoring Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399



References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Chapter 8 Using Collaborative Services . . . . . . . . . . . . . . . . 405Utilizing Administrative Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Locating the Data Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Understanding and Managing a Wiki . . . . . . . . . . . . . . . . . . . . 406

Using the iCal Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Managing the iChat Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429

Understanding the Address Book Service . . . . . . . . . . . . . . . . . 439

Hosting Mail Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445


References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

xi

This book is based on the same criteria used for Apple’s official training

course, Lion 201: OS X Server Essentials 10.7, which provides an in-depth

exploration of Lion Server. This book serves as a self-paced tour of the

breadth of functionality of Lion Server and the best methods for effec-

tively supporting users of Lion Server systems.

The primary goal of this book is to prepare technical coordinators and

entry-level system administrators for the tasks demanded of them by

Lion Server; you will learn how to install and configure Lion Server to

provide network-based services, such as configuration profile distribu-

tion and management, file sharing, authentication, and collaboration

services. To become truly proficient, you’ll need to learn the theory

behind the tools you will use. For example, not only will you learn how

to use the Server app—the tool for managing services and accounts—

but you will also learn about the ideas behind profile management, how

to think about access to and control of resources, and how to set up and

distribute profiles to support your environment.

Getting Started

xii Getting Started

You will learn to develop processes to help you understand and work with the complexity

of your system as it grows. Even a single Lion Server computer can grow into a very com-

plicated system, and creating documentation and charts can help you develop processes so

that additions and modifications can integrate harmoniously with your existing system.

This book assumes that you have some knowledge of OS X Lion, because Lion Server is

built on top of Lion. Therefore, basic navigation, troubleshooting, and networking are

all similar regardless of whether the operating system is Lion or Lion Server. This book

concentrates on the features that are unique to Lion Server. When working through this

book, a basic understanding and knowledge of Lion is preferred, including knowledge

of how to troubleshoot the operating system. Refer to Apple Pro Training Series: OS X

Lion Support Essentials from Peachpit Press if you need to develop a solid working

knowledge of Lion.

Unless otherwise specified, all references to Lion and Lion Server refer to version 10.7.2,

which was the most current version available at the time of writing. Due to subsequent

upgrades, some screen shots, features, and procedures may be slightly different from those

presented on these pages.

Learning MethodologyThis book is based on lectures and exercises provided to students attending Lion 201:

OS X Server Essentials 10.7, a three-day, hands-on course designed to give technical coor-

dinators and entry-level system administrators the skills, tools, and knowledge to imple-

ment and maintain a network that uses Lion Server. For consistency, this book follows the

basic structure of the course material, but you may complete it at your own pace.

The exercises contained within this book are designed to let you explore and learn the

tools necessary to manage Lion Server. They move along in a predictable fashion, starting

with the installation and setup of Lion Server and moving to more advanced topics such

as performing multiprotocol file sharing, using access control lists, and permitting Lion

Server to manage network accounts. If you already have a Lion Server set up, you can skip

ahead to some of the later exercises in the book, provided you understand the change in

IP addressing from the examples to your server and are not running your server as a pro-

duction server.

Chapter Structure xiii

This book serves as an introduction to Lion Server and is not meant to be a definitive ref-

erence. Because Lion and Lion Server contain several open source initiatives, it is impos-

sible to include all the possibilities and permutations here. First-time users of Lion Server

and users of other server operating systems who are migrating to Lion Server have the

most to gain from this book; still, others who are upgrading from previous versions of

Lion Server will also find this book a valuable resource.

Lion Server is by no means difficult to set up and configure, but how you use Lion Server

should be planned out in advance. Accordingly, this book is divided into eight chapters:

Chapter 1 covers planning, installation, and initial configuration of Lion Server. ��

It contains an introduction to the various administration tools, and has a focus

on SSL (Secure Socket Layer) certificates.

Chapters 2 and 3 define authentication and authorization, various types of access ��

control, and Open Directory and the vast functionality it can provide.

Chapter 4 covers managing accounts with the new Profile Manager service.��

Chapter 5 introduces deployment services, including NetBoot and the System ��

Image Utility.

Chapter 6 introduces the concept of sharing files, associating share points with ��

users and groups, and controlling access to files with Access Control Lists.

Chapter 7 teaches you how to use the Server app to configure how your server ��

offers web sites.

Chapter 8 focuses on setting up collaboration services such as mail, web, wiki, ��

calendaring, and instant messaging.

Chapter StructureEach chapter begins by listing the learning goals for the chapter and providing an esti-

mate of time needed to complete the chapter. The explanatory material is augmented with

hands-on exercises essential to developing your skills. If you lack the equipment necessary

to complete a given exercise, you are still encouraged to read the step-by-step instructions

and examine the screen shots to understand the procedures demonstrated.

xiv Getting Started

WArninG �� The initial exercise in this book requires you to reformat a volume

on which you will install Lion Server. All data on this volume will be erased. Once

past that point, the majority of the exercises in the book are designed to be non-

destructive if followed correctly. However, some of the exercises are disruptive; for

example, they may turn off or on certain network services. Other exercises, if per-

formed incorrectly, could result in data loss or corruption to some basic services,

possibly even erasing a disk or volume of a computer connected to the network on

which Lion Server resides. Thus, it is recommended that you run through the exer-

cises on a Lion Server computer that is not critical to your work or connected to

a production network. This is also true of the Lion computer you will use in these

exercises. Please back up all your data if you choose to use a production computer

for either the Lion Server and/or the Lion computers. Instructions are given for

restoring your services to their preset state, but reasonable caution is recommended.

Apple, Inc. and Peachpit Press are not responsible for any data loss or any damage

to equipment that occurs as a direct or indirect result of following the procedures

described in this book.

You’ll also find resources that provide ancillary information throughout the chapters.

These resources are merely for your edification, and are not essential for the coursework

or certification.

Each chapter closes with a list of relevant Apple Knowledge Base articles and recom-

mended documents related to the topic of the chapter. Lion Server documentation

(http://www.apple.com/macosx/server/resources/) and Knowledge Base articles (http://

www.apple.com/support) are free resources that contain the very latest technical informa-

tion on all of Apple’s hardware and software products. We strongly encourage you to read

the suggested documents and search the Knowledge Base for answers to any problems you

encounter.

Finally, at the end of each chapter is a short chapter review that recaps the material you’ve

learned. You can refer to various Apple resources, such as the Knowledge Base, and Lion

Server documentation, as well as the chapters themselves, to help you answer these

questions.

http://www.apple.com/macosx/server/resources/

http://www.apple.com/support

http://www.apple.com/support

Apple Certification xv

System requirementsThis book assumes a basic level of familiarity with Lion. All references to Lion and

Lion Server refer to v10.7.2, unless otherwise stated.

Here’s what you will need to complete the lessons in the book:

Two Macintosh computers, one with Lion installed and one on which you will ��

install Lion Server

An Ethernet switch to keep the two computers connected via a small private ��

local network

Two Ethernet network cables for connecting both computers to the switch��

A router (preferably an AirPort base station) to connect the small private network ��

to the Internet, so you can obtain Apple Push Notification service (APNs) certificates

for the Profile Manager service

Optionally, a wireless access point (preferably an AirPort base station) to provide ��

wireless access for iOS devices to your private network

Optionally, three additional Macintosh computers on which to install Lion Server ��

and configure as: an Open Directory replica; a member server; and a bound server

on which to import users.

Apple CertificationAfter reading this book, you may wish to take the OS X Server Essentials 10.7 Exam.

Passing both this exam and the OS X Support Essentials 10.7 Exam earns Apple Certified

Technical Coordinator 10.7 (ACTC) certification. This is the second level of Apple’s certi-

fication program for Mac professionals, which includes:

Apple Certified Support Professional 10.7 (ACSP)—Ideal for help desk personnel, ��

service technicians, technical coordinators, and others who support OS X Lion cus-

tomers over the phone or who perform Mac troubleshooting and support in schools

and businesses. This certification verifies an understanding of Lion’s core functional-

ity and an ability to configure key services, perform basic troubleshooting, and assist

end users with essential Mac capabilities. To receive this certification, you must pass

the OS X Support Essentials 10.7 Exam. This book is designed to provide you with the

knowledge and skills to pass that exam.

xvi Getting Started

Apple Certified Technical Coordinator 10.7 (ACTC)—This certification is intended ��

for Lion technical coordinators and entry-level system administrators tasked with

maintaining a modest network of computers using Lion Server. Since the ACTC certi-

fication addresses both the support of Mac clients and the core functionality and use

of Lion Server, the learning curve is correspondingly longer and more intensive than

that for the ACSP certification, which addresses solely Mac client support. This certifi-

cation requires passing both the OS X Support Essentials 10.7 Exam and OS X Server

Essentials 10.7 Exam.

nOTE �� Although all of the questions in the OS X Server Essentials 10.7 Exam are

based on material in this book, simply reading it will not adequately prepare you for

the exam. Apple recommends that before taking the exam you spend time setting up,

configuring, and troubleshooting Lion Server.

Apple hardware service technician certifications are ideal for people interested in becom-

ing Macintosh repair technicians, but also worthwhile for help desk personnel at schools

and businesses, and for Macintosh consultants and others needing an in-depth under-

standing of how Apple systems operate.

Apple Certified Macintosh Technician (ACMT)—This certification verifies the ability ��

to perform basic troubleshooting and repair of both desktop and portable Macintosh

systems, such as iMac and MacBook Pro. ACMT certification requires passing the

Apple Macintosh Service Exam and the Lion Troubleshooting Exam. To learn more

about hardware certification, visit http://training.apple.com/certification/acmt.

About the Apple Training SeriesApple Pro Training Series: OS X Lion Server Essentials is part of the official training series

for Apple products developed by experts in the field and certified by Apple. The chapters

are designed to let you learn at your own pace. You can progress through the book from

beginning to end, or dive right into the chapters that interest you most.

For those who prefer to learn in an instructor-led setting, training courses are offered

at Apple Authorized Training Centers worldwide. These courses are taught by Apple

Certified Trainers, and they balance concepts and lectures with hands-on labs and

http://training.apple.com/certification/acmt

About the Apple Training Series xvii

exercises. Apple Authorized Training Centers have been carefully selected and have met

Apple’s highest standards in all areas, including facilities, instructors, course delivery, and

infrastructure. The goal of the program is to offer Apple customers, from beginners to the

most seasoned professionals, the highest-quality training experience.

To find an Authorized Training Center near you, please visit http://training.apple.com.

http://training.apple.com

#

Image here is FPO. Arrangements for purchase and placement of image to follow.

Bleed on all sides s/b 18pts; pages in Quark s/b staggered.

Time This chapter takes approximately three hours to complete.

Goals Configure Profile Manager

Construct management profiles

Deliver profiles

Install and delete profiles

Manage users, groups of users, devices, and groups of devices using profiles

4

249

If you run an organization with several hundred users or even just a

handful, how can you make sure you can manage their experience with

OS X and iOS? In previous chapters you learned management techniques

involving the user name, password, and home folder. There are many

other aspects to user account management, and it is important to

understand how these various aspects interact with each other.

OS X Lion Server provides a service called Profile Manager that allows

you, as the administrator, to assign certain behaviors to the client

devices such as computers and mobile devices.

Managing AccountsChapter 4

250 Managing Accounts

introducing Account ManagementAccount management was controlled by Workgroup Manager in Mac OS X 10.6 and ear-

lier, but Lion introduces the concept of profiles that contain configurations and settings.

By assigning profiles to users, user groups, devices, or groups of devices you can achieve

control over your systems.

With effective account management, you can achieve a range of results, including the

following:

Providing users with a consistent, controlled interface��

Controlling settings on mobile devices and computers��

Restricting certain resources for specific groups or individuals��

Securing computer use in key areas such as administrative offices, classrooms, or ��

open labs

Customizing the user experience��

Customizing Dock settings��

Profile ManagerProfile Manager is an account management tool that allows the development and distri-

bution of configurations and settings to control the experience on Lion computers and

iOS devices. The configurations and settings are contained in XML based text files called

profiles. Profile Manager has three parts:

1 Profile Manager web tool

2 User Portal web site

3 Mobile Device Management Server

Profile Manager Web App

The web tool allows easy access to the Profile Manager functionality from any browser

that can connect to the Lion Server with the Profile Manager service turned on. An

administrator can utilize the web interface to create profiles for use on client machines. It

is also used to create and manage device accounts and device group accounts. Users and

Groups are created in the Server app, but are displayed in the Profile Manager web app.

The Profile Manager is reached at https://server.domain.com/profilemanager/.

https://server.domain.com/profilemanager/

Configuring Profile Manager 251

User Portal

The User Portal is a simple way for users to enroll devices, obtain profiles, and wipe or lock

their devices. The User Portal is accessed via a web browser and lists the user’s enrolled

devices and available profiles. It is reached at https://server.domain.com/mydevices/.

Device Management

You can configure and enable the Mobile Device Management (MDM) functionality to

allow you to create profiles for devices. When you or your users enroll Lion computers

and iOS 4 or later devices, this allows over the air (OTA) management of devices includ-

ing remote wipe and lock.

Levels of ManagementUsing Profile Manager you can apply profiles at various levels including:

Individual Users��

Groups of Users��

Devices��

Device Groups��

Not all management levels make sense for all purposes, so when setting policy you have

to decide what is appropriate. For example, you might want to define printers by device

groups, because a typical situation has a group of computers located geographically close

to a specific printer. You may want to set VPN access via a group of users such as remote

salespeople. And individuals might have specific application access rights granted to them.

Each level can have a default group of settings and then custom settings. Mixing and lay-

ering profiles with conflicting settings is not recommended.

Configuring Profile ManagerTo allow assigning profiles, the Profile Manager service must be enabled. Using profiles is

significantly different than managing clients in earlier versions of OS X Server. Note that

the older method of using Workgroup Manager is still valid in Lion Server, but this book

doesn’t approach it. For information on OS X Managed Client , see Chapter 9, “Managing

Accounts,” in the book Apple Training Series: Mac OS X Server Essentials v10.6.

https://server.domain.com/mydevices/


TerminologyIn the context of device management, a Profile is basically a collection of settings.

Configuration profiles define settings such as Wi-Fi settings, email accounts, calendar

accounts, and security policies. Enrollment profiles allow the server to manage your

device. A payload is what’s inside a profile.

Preparations for Profile ManagerPrior to configuring Profile Manager, you’ll need to set up a few items to make the process

more streamlined.

Configure your server to manage network users and groups. This is also referred to as ��

creating an Open Directory Master.

Obtain and install an SSL certificate. It is recommended to use one signed by a ��

trusted certificate authority. You could use the certificate that was automatically gen-

erated when you configured your server to manage network accounts, but you first

need to configure devices to trust that certificate. If you instead use your self-signed

certificate, you won’t be able to enroll iOS devices.

Obtain an Apple ID for use when you request a push certificate from Apple through ��

the http://appleid.apple.com website. Prior to using this ID, make sure you log in at that

site under “Manage My Account” and verify the address. Otherwise, it is possible that

you won’t have success requesting the push certificate.

http://appleid.apple.com


Enabling Profile Manager In this section, you’ll go through the steps to enable Profile Manager including the signing

of a configuration profile.

1 Open Server app and select Profile Manager in the Server app sidebar.

2 Click Configure, next to Device Management.


3 The service will gather some data and give a description of its capabilities. Click Next.

4 Choose your certificate. If you use your self-signed certificate, you will not be able to

enroll any iOS devices.

5 Request an Apple Push Notification certificate using an Apple ID. If you do not have

one, there’s a link to obtain one under the credential fields. Make sure to verify the

address at the http://appleid.apple.com site. Click Next.

http://appleid.apple.com


6 A green circle will indicate that you succeeded. Click Finish.

7 Select the checkbox labeled “Sign configuration profiles,” then choose the Code

Signing certificate that was created when you created your network accounts.

By signing the profiles with a certificate, you provide a way to validate that the profiles

came from where they are supposed to be from.


8 If you don’t have any services running, use this time to configure and activate a few

services, then click the On/Off switch to turn on Profile Manager.

User Profile PortalThe User Profile Portal provides simple access for users to log in, apply profiles, and

manage their devices. The portal is accessed via a web browser; by simply publishing the

website, users anywhere in the world can enroll their devices–whether they be computers,

iPhones or other iOS based mobile devices. It is through the portal that a user can lock or

wipe their enrolled devices.

nOTE �� The example below is for OS X, but the iOS version is conceptually and visu-

ally similar.

1 Navigate to the site https://server17.pretendco.com/mydevices.

2 Through a series of redirects the user will be prompted for her credentials to log in.

3 The user is given tabs for Devices and Profiles. Devices is where the user can enroll

the device. Profiles is where the various profiles made available to her will be dis-

played.

https://server17.pretendco.com/mydevices


4 Click the Install Trust Profile. The profile will be downloaded, and the Profiles prefer-

ences will appear.

5 Click the Show Profile button to view the contents of the profile, then click Continue.


6 In the next window click Show Details to view more information regarding the cer-

tificates involved, and then click Install. Enter an administrator’s credentials when

prompted.


7 Navigate to the Devices tab and click Enroll. You will be brought back to the Profile

preferences and asked if you want to enroll. View the profile and then click Install.


8 In the next screen, you will be asked to install Remote Management which allows the

server to manage that machine. View the profile and click Continue. Enter an admin-

istrator’s credentials when prompted.


9 Now that the profile has been installed on the computer, refresh the view in the

browser and notice that the computer is now listed under the Devices tab with

choices to Lock or Wipe the computer. This allows the user to utilize any modern

web browser to control those aspects of the computer remotely, if the machine were

to get lost or stolen.


10 To lock the remote device, navigate to the site https://server17.pretendco.com/mydevices

on a different computer and log in. Choose your test computer and lock it by click-

ing the Lock button and entering a 6 digit passcode. Click the Lock button again, and

a confirmation box will appear. Once the confirmation has been given, the remote

computer will reboot and then offer a dialog to unlock the machine via the passcode.

Managing Profiles LocallyOccasionally a profile will need to be viewed, added, or removed to make way for an

updated profile or to simply stop management of the device. Managing the profiles local

to a computer is done via the Profiles preference pane located in System Preferences. You

added a profile to the computer in the previous exercise and now you will remove one.

To remove a profile local to an OS X computer:

1 Open the Profiles preference pane in System Preferences. The various profiles installed

on the computer are listed along with their contents and purposes.

2 Pick the profile you wish to remove such as the remote management profile and click

the Remove (-) button.

https://server17.pretendco.com/mydevices


3 A confirmation dialog box will appear. Click Remove. Enter a local administrator’s

credentials, if prompted, and click OK.

To remove a profile local to an iOS device:

1 Navigate to Settings/General/Profiles.

2 Tap the profile to show the details.

3 Tap the Remove button.

4 Confirm the removal by tapping the Remove button on the confirmation box.

5 Exit Settings.

Using Profile Manager Once Profile Manager has been turned on, you access the actual management interface via

a web application. The web application can be reached via web browser on any machine.

1 Navigate to the site https://server17.pretendco.com/profilemanager.

https://server17.pretendco.com/profilemanager


2 Log in to the Profile Manager web app with an administrator’s credentials.

3 The layout is a column view where the selection made in the left column defines the

content of the column to the right. Click on Devices under the Library and click an

enrolled computer.

4 In the computers information pane, click Profile and then click Edit under Settings.


5 In the new window that opens, scroll down the list to the Mac OS X section, noting

that there are sections for iOS and combined iOS and Mac OS X. Click Dock and

then click Configure.

6 Change the settings to place the Dock on the Left and to automatically hide and show

the Dock.


7 Scroll back to the top of the list in the left column and choose General. Under Profile

Distribution Type select Manual Download. Click OK.

8 Note that the Dock preference is indicated in the settings for the computer. Click Save.

9 A warning that new settings might be pushed to the managed devices is presented.

Click Save.


10 Under the Settings for the computer, click the Download button. A copy of the

preferences is stored in the profile that has been downloaded to the machine Profile

Manager is running on. Open the profile in TextEdit.app and view the contents. The

profile is simply an XML text file.

11 Copy the file to your client computer and double-click on it to install. Choose Show

Profile to view the contents of the profile.

12 Click Install and enter the local administrators password.

13 Log out and log back in. Notice the Dock is now hidden on the left side.

14 Open the Profiles preference pane in System Preferences. View the new profile.

Remove the profile by clicking the Remove (-) button at the bottom of the left

column. Acknowledge the removal and enter a local administrator’s credentials.

Upon logging out and back in, the original Dock location and behavior will be

restored.


Delivering Profiles Once created, profiles can be delivered to users and computers or iOS devices in a number

of ways:

Via the User Portal where users log in to the portal with their account credentials and ��

they are presented with the profiles assigned to them.

Managing User, Group, Device, and Device Group Accounts 269

Emailed to users. The profile is a simple text file, so it is easily transported.��

Web link. The profile can be published on a website for users to visit and download.��

Automatic Push. The profile gets automatically pushed to the device with no user ��

interaction (the device must be enrolled for this to work).

remotely Locking or Wiping a Device Once enrolled, a device or group of devices can be remotely locked or wiped. In this

example, a remote lock will be performed. A remote wipe can be attempted, but only do

it on a device you don’t mind reconfiguring. The device can be locked via Profile Manager

by an administrator or via the User Portal by the users themselves.

Upon requesting a lock, a confirmation pane will appear, a passcode will be requested,

and the lock command will be sent. On Lion computers, the machine is shut down and an

EFI passcode is set, so it needs to be entered to use the machine again. For iOS devices, the

screen is locked and the passcode enforced.

Profile Manager: Log into Profile Manager and select the device or group of devices to ��

be locked. In the Action (gear) menu at the bottom of the right pane choose Lock.

User Portal: Once users log in, each device they enrolled will be displayed in the ��

Devices.

Managing User, Group, Device, and Device Group AccountsYou can create settings for four different types of accounts:

User—Usually relates to a specific person. This is the account that the person identi-��

fies himself or herself with when logging in to the machine. A user’s short name or

UID number uniquely identifies the user on a system.

Group—Represents a group of users, a group of groups, or a mixture of both.��

Device—Similar to a user account, it’s the singular entity that represents a given piece ��

of hardware. Device accounts are uniquely identified by their Ethernet ID, serial num-

ber, IMEI, or MEID.

Device Group—Represents a group of computers or iOS devices, a group of device ��

groups, or a mixture of both.


Which Preferences Can Be Managed?In addition to various other settings for user, group, devices, and device group accounts,

Profile Manager provides control over the preferences listed in Table 4.1. Table 4.2

describes the manageable preferences payloads for devices and device groups.

Table 4.1 Manageable Preferences Payloads for Users and Groups

Preference OS X iOS Description

General • • Profiledistributiontype,howtheprofilecanbe removed, organization, and description

Passcode • • Definepasscoderequirementssuchaslength, complexity, reuse, etc.

Email • • Configureemailsettingssuchasservers,account name, etc.

Exchange • • ConfigureExchangeActiveSyncsettings

LDAP • • ConfigureconnectiontoLDAPserver

CardDAV • • ConfigureaccesstoCardDAVserver

CalDAV • • ConfigureaccesstoCalDAVserver

Network • • Configurenetworksettingonthedevice,including wireless and wired

VPN • • ConfigureVPNsettings:L2TP,PPTP,IPSec(Cisco), CiscoAnyConnect, Juniper SSL, and F5 SSL

Certificate • • AllowstheinstallationofPKCS1andPKCS12 certificates

SCEP • • DefineconnectiontoSimpleCertificateEnrollment Protocol (SCEP) server

WebClips • • DisplaydefinedWebClipsasapplicationicons


Table 4.1 (continued)


Restrictions • • Defineapplicationandcontentrestrictions

(separate OS X and iOS versions)

Subscribed • ConfigurecalendarsubscriptionsCalendars

APN • Configurecarriersettingssuchasthe

Access Point Name (Advanced use only)

iChat • ConfigureconnectiontoJabberorAIMchat

servers

LoginItems • Specifyapplications,itemsandnetwork

mounts to launch at login

Mobility • DefinemobilitysettingsforOSXclients

to allow cached credentials and portable

home directories

Dock • ConfigureDockbehavior

Printing • Configureprintingsettingsandaccessto

printersorprintqueues

ParentalControls • DefinesettingsforParentalControlssuch

as content filtering and time limits

SecurityandPrivacy • Definewhetherornottosenddiagnostic

and usage data to Apple (might change in

the future)

CustomSettings • Applycustompreferencesforitemsnot

defined in other payloads. Similar to apply-

ing preference manifests in WGM


Table 4.2 Manageable Preferences Payloads for Devices and Device Groups


General • • Profiledistributiontype,howtheprofilecanbe removed, organization, and description

Passcode • • Definepasscoderequirementssuchaslength, complexity, reuse, etc.

Email • Configureemailsettingssuchasservers,

account name, etc.

Exchange • ConfigureExchangeActiveSyncsettings

LDAP • ConfigureconnectiontoLDAPserver

CardDAV • ConfigureaccesstoCardDAVserver

CalDAV • ConfigureaccesstoCalDAVserver

Network • • Configurenetworksettingonthedevice

including wireless and wired

VPN • • ConfigureVPNsettings:L2TP,PPTP,IPSec

(Cisco), CiscoAnyConnect, Juniper SSL,

and F5 SSL

Certificate • • AllowstheinstallationofPKCS1andPKCS12

certificates

SCEP • • DefineconnectiontoSimpleCertificate

Enrollment Protocol (SCEP) server

WebClips • DisplaydefinedWebClipsasapplication

icons

Restrictions • • Defineapplicationandcontentrestrictions

(separate OS X and iOS versions)

SubscribedCalendars • Configurecalendarsubscriptions

APN • ConfigurecarriersettingssuchastheAccess

Point Name (Advanced use only)

LoginItems • Specifyapplications,items,andnetworkmounts to launch at login


Table 4.2 (continued)


Mobility • DefinemobilitysettingsforOSXclientstoallow cached credentials and portable home directories

Dock • ConfigureDockbehavior

Printing • Configureprintingsettingsandaccesstoprintersorprintqueues

ParentalControls • DefinesettingsforParentalControlssuchascontent filtering and time limits

SecurityandPrivacy • Definewhetherornottosenddiagnosticandusage data to Apple (might change in the future)

CustomSettings • Applycustompreferencesforitemsnotdefined in other payloads (similar to applying preference manifests in WGM)

Directory * Configure binding to directory services

Login Window * Configure Login Window options, such as messages, appearance, access, and Login/LogoutHooks

SoftwareUpdate • DefineanAppleSoftwareUpdateServertobeused by the computer

EnergySaver • DefineEnergySaverpolicysuchassleeping,timed actions and, wake settings

Managing Preferences for Users in a GroupAlthough you can set up preferences individually for users with network accounts, it’s

more efficient to manage preferences for the groups to which they belong. Using groups

allows you to manage users regardless of which devices they use.


Managing Device Group AccountsA device group account is set up for a group of computers or iOS devices that have the

same preference settings and are available to the same set of users and groups. You create

and modify these device groups in Profile Manager.

When you set up a device group, make sure you have already determined how the devices

are identified. Use descriptions that are logical and easy to remember (for instance, the

description might be the computer name). This also makes it easier to find the devices to

add them to the correct device group.

Creating a Device AccountThere are two ways to set up a device account:

During device enrollment the device account is created automatically.��

You can create a placeholder in Profile Manager, so when the user logs into the User ��

Portal, predefined profiles are assigned to the device.

To manually create a placeholder in Profile Manager:

1 Click Devices in the Profile Manager Library.

2 Click the Add (+) button below the list of devices, and select Add Placeholder.

3 Give the placeholder a name and choose how to identify the device by Ethernet ID,

serial number, IMEI, or MEID.

4 Click the Add button.


5 From the placeholder entry, you can add profiles and management that will be

applied automatically once the device is enrolled.

To import a list of placeholders in Profile Manager:

Lists of devices can be imported into Profile Manager via a comma separated value (CSV)

file. The file needs to be structured as this:

name, serial number, UDID, IMEI, MEID

Leave a field empty if you’re not using that value.

1 Click Devices in the Profile Manager Library.

2 Click the Add (+) button below the list of devices, and select Import Placeholders.

3 Choose the import file and upload.

Creating and Populating a Device GroupTo create and populate a Device Group, Profile Manager is utilized:

1 Click Device Groups in the Profile Manager Library.


2 Click the Add (+) button below the list of device groups. This creates a new group

that can be populated with the desired name.

3 To add devices to the device group, click the Add (+) button under the device

group pane.

4 Click the device to add to the device group and then click Done.

Troubleshooting 277

5 To add device groups to the device group, click the Add (+) button under the device

group pane.

6 Click the device group to add to the device group and then click Done.

7 Click Save.

TroubleshootingOccasionally things won’t work the way you expect, and you’ll have to troubleshoot the

situation. Even a robust service like Profile Manager can have an occasional issue.

Viewing LogsThe profilemanager.log is located at /Library/Server/ProfileManager/Logs and can be

viewed with Console by double clicking. Errors may be reported and listed in the logs.

Viewing ProfilesIf a device is not behaving as expected, look at the list of installed profiles on the device

and see if the proper profiles have been installed. The solution may be as simple as apply-

ing the expected profile to the device.

installing ProfilesIf you’re having problems installing a profile, you may have improper certificates. Review

your SSL certificates for validity and make sure the trust profile has been installed on the

device.


Problems Enrolling a DeviceA trust profile must be installed prior to enrolling a device, unless you are using a certifi-

cate signed by a trusted certificate authority.

What You’ve LearnedAccount management encompasses fine-tuning the user experience by managing ��

preferences and settings for users, groups, devices, and device groups.

Profile Manager is the new management tool in Lion Server. It provides profile-based ��

management of users, groups, devices, and device groups—from anywhere on your

network or even across the Internet.

A device group is a list of devices that have the same preference settings and are avail-��

able to the same users and groups. You can create and modify device groups in Profile

Manager web app.

Preferences can be set for many built-in OS X options for users, workgroups, devices, ��

or device groups. Other preferences can be managed if provided in a .plist format and

applied via the Custom Settings profile payload.

referencesThe following documents provide more information about managing accounts on Lion

Server. All these and more are available at http://www.apple.com/macosx/server/resources/

documentation.html.

Administration GuidesLion Server: Advanced Administration

https://help.apple.com/advancedserveradmin/mac/10.7/

Profile Manager Help

https://help.apple.com/profilemanager

Apple Knowledge Base DocumentsYou can check for new and updated Knowledge Base documents at http://www.apple.com/

support/.

http://www.apple.com/macosx/server/resources/documentation.html

http://www.apple.com/macosx/server/resources/documentation.html

https://help.apple.com/advancedserveradmin/mac/10.7/

https://help.apple.com/profilemanager

http://www.apple.com/support/

http://www.apple.com/support/

Chapter Review 279

Chapter review1. What tool is used to create profiles?

2. Name at least three ways a profile can be delivered.

3. Why should a configuration profile be signed?

4. How is a profile removed from an OS X computer? From an iOS device?

5. What is a configuration profile? An enrollment profile?

6. What steps are involved with turning on the Profile Manager service?

7. What steps are involved with specifying that you want to sign your configuration

profiles?

8. What three components comprise Profile Manager?

Answers

1. The Profile Manager web app is used to create profiles.

2. User portal, email, web page, manual delivery, or push to enrolled devices via the

mobile device management capabilities of Profile Manager enable profile delivery.

3. A configuration profile should be signed to validate the contents of the profile.

4. In OS X 10.7 Lion, the profiles are managed in the Profiles preference pane within

System Preferences. On an iOS device, navigate to Settings/General/Profiles to view

and remove installed profiles.

5. A configuration profile contains settings and preferences to manage the user experi-

ence in a controlled device. An enrollment profile allows the device that it’s installed

on to be remotely controlled, performing such tasks as remote wipe and lock, and

installation of other configuration profiles.

6. You can just click the On/Off switch in the Server app Profile Manager pane to turn

on the Profile Manager service, but to enable device management (also known as

Mobile Device Management), click Configure next to “Device Management,” select

a valid SSL certificate, and specify a verified Apple ID to obtain an Apple Push

Notification Service certificate.

7. In the Server app Profile Manager pane, select the checkbox labeled “Sign configura-

tion profiles,” then choose a valid code signing certificate. Then when you create pro-

files with the Profile Manager web app, they are automatically signed.

8. The Profile Manager includes the Profile Manager web app, the user portal, and the

optional device management (Mobile Device Management) service.

461

AAbout This Mac, 3–4access. See also authentication; authorization

ACLs controlling. See ACLs (access control lists)Apache log for, 399–400concurrent, 374Edit Access to Services for, 122to file sharing services, 332–333in folder hierarchies, 350–353guest. See guest accessin iCal, 422–428by local user accounts, 93–95monitor only, 131–133in NetBoot, 303to Open Directory log files, 233–234SACLs for. See SACLs (service access control lists)Service Access window for, 196, 201–202to services, 86–88for Time Machine, 367of users, 86–87to websites, 393–396

access control entries. See ACEs (access control entries)

access control lists. See ACLs (access control lists)Access pane, 329–331account management. See Profile ManagerAccount Name, 90, 92ACEs (access control entries)

adding to ACLs, 339–341complex permissions for, 339, 341–342creating, 338defined, 337in file-system ACLs, 347in folder hierarchies, 349, 357–361information in, 347inheriting, 343–345in Open Directory masters, 160POSIX and, 348precedence and, 348propagating permissions and, 345

ACLs (access control lists). See also file-system ACLs (access control lists); SACLs (service access control lists)complex permissions in, 341–342File Sharing pane for, 337–339generally, 336globally unique IDs in, 337group IDs in, 336group membership in, 346inheritance in, 343–345multiple groups in, 346nested groups in, 346optional, 333–334permissions and, 334–335portability of, 345POSIX permissions vs., 347propagating permissions in, 345share points and, 320, 329Storage pane for, 339–341user IDs in, 336

Active Directory, 158, 417Add User Account, 301Address Book

access to monitor only, 133configuring OS X to use, 440–444configuring with Server app, 439–440generally, 439iChat and, 443–444importing network user accounts, 208location of data stores in, 406in Open Directory masters, 170–171troubleshooting, 445

administration privilegesaccounts with. See administrator accountscleaning up, on servers, 133–136complex permissions for, 341–342computers with. See administrator computersconfirming, generally, 131File Sharing and, 137giving to local user accounts, 95–96

Index

462 Index

limiting, generally, 128for local user accounts, 96–97, 129–130monitoring services, 130removing from local user accounts, 97–98removing unused services, 136–137for specific services, 131–133

administrator accountsAdministrator Account pane, 25–27Administrators group, 329configuring, 92–93creating, 88password policies and, 216

administrator computersconfiguring for exercises, 16–20configuring local user accounts on, 93configuring SACLs on, 117–119for Lion Server, 15

AFP (Apple Filing Protocol)authentication and, 87case-sensitivity in, 375defined, 316–318encryption in, 138guest access for, 328inspecting logs in, 375–376inspecting SACLs in, 125–128Mac clients using, 318network home folders in, 362–363POSIX in, 336SACLs in, 117–118, 125–128setting up, 118–119for share points, 320–321, 323testing, 119–121viewing Error log with Console in, 322–323

Airport devices, 16Airport Management pane, 37alerts, 41, 54–55Aliases, 92All, 392Allow or Deny, 347–348anonymous binding, 184“Any other logged in user,” 413Apache

access to files in, 392configuration files in, 384introduction to, 383location of modules in, 384viewing log files in, 399–402

AppleAirport devices by, 16filing protocol. See AFP (Apple Filing Protocol)Open Directory by. See Open Directory

Partition Map by, 6ports used by software of, 138Push Notification certificates, 254Remote Desktop, 281, 289software updates from, 55System Restore, 281, 303

Apple IDsApple Push Notification certificates and, 254configuring pane for, 24–25IDs. See Apple IDsProfile Manager and, 252“Using an Apple ID,” 120

Apple Pro Training Series: OS X Lion Support Essentialson authentication, 88on DNS, 163on file system permissions, 334on Recovery HD, 8on volume formats, 6

Apple Training Series: Mac OS X Server Essentials v10.6, 251

Apply System Configuration Settings, 301archives

disk images for, 222–225in iChat, 432Kerberos KDC for, 222in LDAP databases, 222in Open Directory generally, 221–222in Open Directory masters, 222–224in Password Server, 222

ARD (Apple Remote Desktop), 281, 289ASR (Apple System Restore), 281, 303audio conferences. See iChatauthenticated binding, 184–185authentication. See also authorization

as administrator, 88databases in, 156encryption in, 138in file sharing services, 316generally, 85–86handshake protocol for, 209introduction to, 86–88in Kerberos, generally, 219in Kerberos, troubleshooting, 235of local users, 130methods for. See configuration,

authentication methodsof multiple user accounts, 154–155of network user accounts, 198–199in new websites, 394–395in Open Directory, 235passwords for. See passwords

Index 463

references on, 149of remote servers, 189review questions on, 150–151summary of, 148–149

authorization. See also authenticationcleaning up, 133–136in file sharing services, 316introduction to, 85–86in new websites, 395references on, 149review questions on, 150–151SACLs for. See SACLs (service access control lists)summary of, 148–149using, 86–88

Automated Installation, 288Automater workflow items, 287–288automatic push for profiles, 269Automator Library, 301automountable share points, 362

Bbackups, 289, 370–371badges, 316bandwidth, 309binding to Open Directory

anonymously, 184benefits of, 156defined, 154Lion, 192–193multiple servers, 158network user accounts, 202Users & Groups for, 182

blacklists, 455–456blogs, 407, 415Bonjour

address of, 384introduction to, 34Server Admin and, 46

boot codes, 299boot image files, 288boot ROM (real-only) memory files, 285–286boot volumes, 7, 406booting computers. See also NetBoot, 282, 290bootpd, 307buddies, 433–434, 444

CCalDAV support, 417, 428Calendar Server Extensions, 416calendar service. See iCal

Caps Lock key, 224CardDAV

for Address Book, 439, 441for iChat, 444

CAs (Certificate Authorities)Certificate Signing Requests for, 68–70default certificates and, 63importing signed certificates and, 70in Open Directory masters, 160, 172–173for profiles, 278in restoring Open Directory data, 229for SSL certificates, 59–61, 72–76using another server and, 182

case-sensitivity, 6, 374–375CD-ROMs, 282Certificate Authorities. See CAs (Certificate Authorities)Certificate Signing Requests (CSRs), 68–70certificates

authorizing. See CAs (Certificate Authorities)importing signed, 70–71root, 258self-signed, 39–40, 63–68Signing Requests for, 68–70SSL. See SSL (Secure Sockets Layer) certificatesverifying trusted, 40, 72–76viewing default, 61–63

Challenge Handshake Authentication Protocol, 209child files, 343child folders, 343ClamAV virus scans, 454classrooms, 283cleaning up file services, 376–377cleaning up servers, 133–136client computers

binding to Open Directory, 192Client Computer ID window, 184in NetBoot. See clients in NetBoot

client devices, 249clients in NetBoot

configuring, 299–300filtering, 303–305monitoring, 305–307

Code Signing certificates, 255collaborative services. See also web services

Address Book, 439–445administrative tools for, 406data stores for, locating, 406iCal, accessing as user, 422–428iCal, adding resources and locations, 420–422iCal, configuring and starting, 417–420iCal, generally, 416–417

464 Index

iCal, troubleshooting, 429iChat, archiving, 432iChat, configuring users, 433–434iChat, federation in, 435–436iChat, managing generally, 429–431iChat, restricting users, 435iChat, setting up, 431iChat, troubleshooting, 438iChat, viewing service logs, 437–438introduction to, 405mail, blacklists for incoming, 455–456mail, configuring DNS for, 448mail, enabling for users, 450mail, enabling web, 451–453mail, junk filtering for incoming, 455–456mail quotas, enabling for users, 453–454mail, relaying outgoing, 449–450mail services, enabling, 448–449mail services, generally, 445–447mail services, troubleshooting, 457mail, virus scanning incoming, 454–455references on, 458review questions on, 458–459summary of, 457Wiki service, troubleshooting, 416wikis, creating, 410–415wikis, enabling, 407–410wikis, managing generally, 406–407

complex permissions, 341–342computational clusters, 284computer labs, 283Computer Name, 34–35concurrent access, 374configuration

of Administrator Account pane, 25–27of administrator accounts, generally, 92–93of Apple ID pane, 24–25of authentication methods. See configuration,

authentication methodsof computers for Software Update, 311of Lion Server. See configuration, Lion Serverof local user accounts. See local usersof NetBoot. See configuration, NetBootof Open Directory, 159–165of Profile Manager. See configuration,

Profile Managerof SACLs, 117–118of user accounts, 89–92

configuration, authentication methodsdisabling user accounts, 210generally, 209

global password policies, 215–219Kerberos, 219–221per-user password policies, 211–213Server Admin in, 218–219single sign-ons, 219–221single user accounts, 213–214testing user account policies, 214–215user account password policies, 211–215user accounts, 209–210

configuration, Lion Serveradministrator computers, 15–20Airport Management pane, 37Computer Name, 34–35Connecting to Your Mac pane, 31–36data storage on volumes, 58–59generally, 1, 15, 20Host Name pane, 30–31, 35–36initially, 20introduction to, 1Keyboard pane, 23License Agreement pane, 25Multiple Networks Detected pane, 28Network Address pane, 32–34Organization pane, 28–29Region pane, 23Registration Information pane, 25remotely, 20–23Review pane, 38with Server Admin, 45–47Server pane, 24test networks for exercises in, 15–16Thank You pane, 38–39Time Zone pane, 29–30Xsan pane, 27

Configuration Log, 233–234configuration, NetBoot

clients, 299–300images, 297–298, 300–302NetRestore images, 303servers, 296–298

configuration, Profile Managerdelivering profiles, 268–269enabling Profile Manager by, 253–256generally, 251, 263–268managing profiles locally, 262–263preparation for, 252remotely locking or wiping devices, 269terminology for, 252User Profile Portal, 256–262

Configuration Profiles, 252–256, 287

Index 465

confirmation of administrative capacitiesto administer services, 131to monitor services only, 130for specific services only, 131–133

“Connect as Guest,” 120Connected Users, 321–322Connecting to Your Mac pane, 31–36connection to Lion Server, 39–43Console

importing users with, 146–147inspecting logs with, 375–376logs in, generally, 76–78viewing AFP Error log with, 322–323, 402

corporate workstations, 283CPU usage

Server Admin monitoring, 46–48, 130, 321Server app monitoring, 42–43Server Status Dashboard Widget for, 56–57

Create Image, 301–302credentials, defined, 85crypt passwords, 209–210CSRs (Certificate Signing Requests), 68–70

DDashboard Widget, 56–58dashes, 212data

archiving. See archivesrestoring Open Directory, 221, 226–232stores for collaborative services, 406storing on volumes, 58–59

default websites, 386Define Image Source, 301delegates, 421–422delimited text files, 116Demo iPad account, 422–428Deny, or Allow, 347–348deployment solutions. See NetBootdescendants, 343destinations, 367–373device accounts

creating, 274–275for groups, 269, 274, 275–277introduction to, 269

Device Management, 253devices

accounts for. See device accountsAirport, 16client, 249enrolling in Profile Manager, 249–250, 278iOS, 249–250, 254, 256

locking, 262, 269mobile, 249–251over the air management of, 251in Profile Manager web app, 264remote, 262User Profile Portal for, 256

Devices and Profiles, 256–261DHCP (Dynamic Host Configuration Protocol)

as Lion Server service, 51NetBoot IP addresses from servers on, 285–286ranges in, 16VPN connections and, 139

directory nodes, 198directory services. See Open DirectoryDirectory Utility

binding to Open Directory vs., 162in configuring servers remotely, 188–192troubleshooting Open Directory with, 235

disable user accounts, 210disable websites, 384–385disk images. See also NetBoot

for archiving data, 222–225encrypted, 225on HTTP, 293–294in NetBoot startup, 285network, 299on NFS, 293–294for restoring Open Directory data, 231–232sparse, 225, 231–232System Image Utility for, 290

disk partition support, 288Disk space, 41–43Disk Utility

for booting computers, 290case-sensitive formatting with, 374First Aid tab in, 78for installing Lion Server, 6

Diskless checkbox, 295Distribution Type, 266DNS (Domain Name System)

Address Book and, 445administrator computers for, 17–19availability of records in, 163–165binding to other servers, 183in configuring Open Directory replicas, 179for email, 448, 457forward records in, 10–11host names and, 8–9iCal and, 428–429iChat and, 438in Kerberos, 235

466 Index

Lion Server service for, 51in NetBoot, 303for network user accounts, 202for new websites, 396Open Directory replicas and, 174–175Open Directory services and, 159preparing to configure records in, 236–243in restoring Open Directory data, 226–227, 229reverse records in, 10–11in Server Admin, 136–137in Server Assistant, 50supporting multiple servers, 236–243for websites, 391for wikis, 416

Dockhiding graphs, 47Launchpad in, 10, 21, 44–45, 371in Profile Manager web app, 265–267Trash in, 372

Document Root Contents, 392Domain Name, 386–389Domain Name System (DNS). See DNS (Domain

Name System)Dovecot, 445DVD-ROMs, 282Dynamic Host Configuration Protocol (DHCP). See

DHCP (Dynamic Host Configuration Protocol)

Eediting

access to file sharing services, 122images, 304SACLs, 332–333text. See TextEdit

efficiency, 281EFI (Extensible Firmware Interface), 269, 299email. See also mail services

in Address Book, 443alerts, 41, 54–55blacklists for incoming, 455–456configuring DNS for, 448delivering profiles via, 269enabling for users, 450enabling web, 451–453in iCal, 417–420, 423junk filtering for incoming, 455–456location of data stores in, 406relaying outgoing, 449–450virus scanning incoming, 454–455

emergency boot disks, 284Empty Trash, 372

empty volumes, 14–15encrypted sparse disk images, 222, 225encryption

in AFP, 138in authentication, 138of firevault full disks, 8for iChat, 436in VPNs, 137–138

Energy Saver preferences, 3Error log in Apache, 399–400error logs in AFP, 322–323Ethernet

IDs, 269, 274–275MAC addresses for, 5NetBoot requirements for, 284ports, 2

Everyone, 392Everyone Else, 329–331expired passwords, 216exporting settings, 52–53exporting users

Software Update for, 308–311with Workgroup Manager, 102–104, 107–108

extensible directory-services architecture, 154Extensible Firmware Interface (EFI), 269, 299eXtensible Markup Language (XML). See XML

(eXtensible Markup Language)Extensible Messaging and Presence Protocol (XMPP),

430, 436external FireWire disks, 300

FFast User Switching, 362federation, 435–436File Sharing pane. See also file sharing services

access to share points in, 329–331ACLs in, 337–339adding share points in, 325–327configuring network mounts in, 363default share points in, 325deselecting, 124in Edit Access to Services, 122enabling, 117exploring, generally, 324individual share points in, 327–328inheritance rules in, 345permissions in, 330, 338removing share points in, 325–327SACLs in, 125Time Machine and, 366–367, 372turning off, 137

Index 467

turning on, 119verifying share points in, 297

file sharing servicesaccess to share points in, 329–331ACEs in. See ACEs (access control entries)ACLs in. See ACLs (access control lists)adding share points in, 325–327AFP for. See AFP (Apple Filing Protocol)backups excluding system files in, 370–371case-sensitivity in, 374–375challenges of, 316–319cleaning up, 373, 376–377complex permissions in, 341–342configuring access to, 332–333Console for, 322–323default share points in, 325destinations in, 367–370file-system ACLs in. See file-system ACLs

(access control lists)folders in, 329–333globally unique IDs in, 337group IDs in, 336group membership in, 346groups in, configuring, 319–320individual share points, 327–328inheritance in, 343–345introduction to, 315local user access to, 93–95logs for, 375–376maintenance of, 321monitoring servers for, 321–322multiple groups in, 346nested groups in, 346network home folders in, 361–366network mounts for, 362–364ownership in, 333–335pane for. See File Sharing panepermissions in, generally, 333–335, 347planning, 319–323portability in, 345POSIX. See POSIXprecedence in, 347–348propagating permissions in, 345protocols for, 316–319, 336references on, 378–379removing sharing points, 325–327requirements for, 319restoring destinations in, 371–373review questions on, 379–381Server app starting and configuring, 320–321

share points in. See share pointsSMB. See SMB (Server Message Block)Storage pane for, 339–341summary of, 377–378testing, 320Time Machine. See Time Machinetroubleshooting, 374user IDs in, 336users, configuring generally, 319–320users, for network home folders, 364–366WebDAV, 316–319, 335

file-system ACLs (access control lists)configuring additional ACEs for, 357–361configuring, generally, 349configuring permissions, 351–357creating shared folders, 351creating users and groups, 350–351defined, 332generally, 347introduction to, 329precedence in, 347–348removing share points for, 349–350

File Transfer Protocol (FTP), 318Filter Computer Models, 288filters

for junk mail, 455, 457in NetBoot, 303–305, 308for viruses, 454–455

Finderfor access in folder hierarchies, 353AFP testing for SACLs in, 119–121cleaning up with, 376–377External Disks in, 300guest access in, 328inspecting Open Directory archives with, 225Kerberos tickets in, 220–221“MyNewWebsite” folder on, 388standard settings in, 329testing user account policies with, 214–215

firevault full disk encryption, 8firewalls, 137–138, 308FireWire, 300firmware, 299, 307First Aid tab, 78folders

badges for, 316configuring access to, 329–333hierarchies of, 349, 357–361network home. See network home foldersPOSIX ownership of, 334

468 Index

formatting drives, 5–6forward DNS records. See also DNS (Domain

Name System), 10–11FQDNs (fully qualified domain names)

in AFP, 402in DNS, 163of Lion Server webpages, 384for new websites, 386–391

FTP (File Transfer Protocol), 318Full Name, 90, 106fully qualified domain names (FQDNs). See

FQDNs (fully qualified domain names)

GGigabit Ethernet, 2global password policies, 211globally unique IDs (GUIDs), 337graphs

of CPU usage, 46–48, 130, 321monitoring server usage with, 321–322in Server app, 42–43

group IDs (GIDs), 336groups

in ACLs, 346–347for file sharing services, 319–320, 325, 350of local users. See groups of local usersmanageable preferences payloads for,

270–273managing. See Profile Managermultiple, 346nested, 346in Open Directory masters, 169preferences for users in, 273in Profile Manager. See Profile ManagerSACLs for, 117user accounts for, 92

groups of local usersassigning local groups to, 102assigning local users to, 99–101assigning to local users, 101–102creating, 98–99

guest accessin AFP, 328connecting, 120implications of, 330to share points, 317, 320in SMB, 328

guest-enabled share points, 328GUID Partition Table, 6GUIDs (globally unique IDs), 337

HHandshake Authentication Protocol, 209hardware addresses, 303–304hardware requirements for Lion Server, 2–3hardware requirements for NetBoot, 284hash passwords, 209home folders

configuring network mounts in, 362–364configuring users in, 364–366generally, 361–362in NetBoot, 286for network user accounts, 201share points and, 320

Host Name pane, 30–31, 35–36host names, defined, 8–9html (Hypertext Markup Language), 389HTTP (Hypertext Transfer Protocol)

disk images on, 293–294iCal on, 416, 428NetBoot on, 285–286port 80 for, 396, 402wikis on, 409

HTTPS (HTTP Secure)iCal on, 428port 443 for, 396, 402wikis on, 409

iiCal

accessing as user, 422–428adding locations, 420–422adding resources, 420–422configuring and starting, 417–420generally, 416–417location of data stores in, 406troubleshooting, 429

iChatAddress Book and, 443–444archiving, 432configuring users, 433–434federation, 435–436location of data stores in, 406managing generally, 429–431restricting users, 435setting up, 431troubleshooting, 438viewing service logs, 437–438

IDsfor Apple. See Apple IDsEthernet, 269, 274–275

Index 469

globally unique, 337for groups (GIDs), 336for images, 287International Mobile Equipment Identities

(IMEIs), 269, 274–275for mobile devices (MEIDs), 269, 274–275for users. See user IDs (UIDs)

images. See also NetBootconfiguring, 300–302configuring to serve, 297–298creating, 287–293default, 293protocols for, 293–294restoring, 303types of, 288–289

Images pane, 293IMAP (Internet Message Access Protocol), 447IMEIs (International Mobile Equipment

Identities), 269, 274–275importing

formatted lists of users, 108–110Lion Server settings, 52–53signed SSL certificates, 70–71text lists of users, 110–116users with Workgroup Manager, 102–104

incoming email, 406, 454–456indexes of images, 287index.html files, 389, 396individual software updates, 310–311inheritance

in ACEs, 337in ACLs, 343–345permissions in, 341–342

“Install OS X Lion,” 290–291installation

of image files, 288–289Install Software pane for, 13of Lion Server. See installation, Lion Serverof profiles, 277of Server Admin Tools 10.7, 44–45of Software Update, 54–56of VPN Profile, 140–144

installation, Lion ServerDNS records in, 10–11empty volumes in, 14–15firevault full disk encryption, 8formatting drives for, 5–6generally, 1, 3hardware requirements for, 2Lion Recovery and, 78log inspection and, 76–78manual IPv4 address configuration, 9–10

networking in, 2partitioning disks in, 6–8RAID (Redundant Array of Independent Disks), 8references on, 80–81remote configuration in, 5–6review questions on, 81–83scenarios for, generally, 8–9Server app in, 12–13server components for, 9–13server components on Snow Leopard servers, 14summary of, 78–79system requirements for, 3–6troubleshooting, 76–78

instant messages. See iChatInternational Mobile Equipment Identities (IMEIs), 269,

274–275Internet Message Access Protocol (IMAP), 447Internet Service Providers (ISPs), 449–450invitations, 418–422, 426, 428iOS devices

locking, 269manageable preferences payloads for, 270–273managing settings on, 249–250permissions and, 335Profile Manager and, 254User Profile Portal for, 256

IP addresses. See also IPv4 addressesconfiguring Open Directory replicas and, 179DNS records and, 163–164introduction to, 19of Lion Server webpages, 384in NetBoot, 285–286, 307for new websites, 386–391, 396in Open Directory, generally, 226–227of Open Directory replicas, 175–177updating DNS service and, 238

iPhonesfile sharing services on, 317iCal and, 417, 428User Profile Portal for, 256

iPod touch, 417, 428IPv4 addresses. See also IP addresses

configuring, 9–10in Lookup, 11manually assigned, 8–10for VPN clients, 139

ISPs (Internet Service Providers), 449–450

JJabber, 430–436, 443journaled formats, 6junk filters, 455–456

470 Index

KKDC (Key Distribution Center). See Kerberos KDC

(Key Distribution Center)Kerberize Services. See also Kerberos

in binding to Open Directory servers, 187defined, 219–220importing network user accounts and, 208

Kerberosbinding to other directory services with, 162binding to other Open Directory servers via,

187–188definition of terms for, 219–221KDC in. See Kerberos KDC (Key

Distribution Center)for Open Directory masters, 160–161for Open Directory, generally, 155for Open Directory masters, 170for Open Directory replicas, 180password policies in, 216restoring Open Directory data via, 230Server Log, 233–234for single sign-ons, 219tickets in, 219–221troubleshooting, 235–236

Kerberos KDC (Key Distribution Center)archiving, 222for authentication, 156defined, 219–220for Open Directory, generally, 209for Open Directory log files, 233for Open Directory replicas, 174for restoring Open Directory data, 226–227

Key Distribution Center (KDC). See Kerberos KDC (Key Distribution Center)

Keyboard pane, 23keyboards, 52Keychain Access

remembering credentials in, 40in SSL certificate configuration, 60–63verifying trusted CAs with, 72–75

Keychain Secure Note, 224keychains, 172–174, 197Keynote, 317keyword searches, 432kiosks, 283“known good” logs, 147

LL2TP (Layer 2 Tunneling Protocol), 137Launchpad

Console in, 146, 322in Dock, 10

Network Utility in, 164, 175, 242opening, 12Server Admin in, 44–45Server app in, 21Server Status Dashboard Widget in, 57System keychains in, 172TextEdit in, 110, 354, 371Workgroup Manager in, 104

Layer 2 Tunneling Protocol (L2TP), 137LDAP (Lightweight Directory Access Protocol)

Address Book and, 439archiving databases in, 222binding to directory servers in, 287configuring servers remotely with, 190–191connecting to directories in, 235iCal and, 417logs in, 233–234for Open Directory data restoration, 226–227,

229–230for Open Directory, generally, 155–156for Open Directory log files, 233for Open Directory replicas, 174, 178per-user directory password policies and, 211populating directories in, 193–194Search Base, 170Server, 170, 180, 230shared databases in, 227

libraries, 274–277, 283license agreements, 25, 301Lightweight Directory Access Protocol (LDAP). See

LDAP (Lightweight Directory Access Protocol)limited administration privileges. See also

administration privileges, 128–133Linux, 318Lion. See OS X LionLion Recovery, 78, 288Lion Server. See OS X Lion Server“Lion Server: Installation requires Internet access,” 9“Lion Server: Installing Lion Server on a blank

volume,” 14“Lion Server: Mass deployment strategies,” 15“Lion Server Upgrading and Migrating,” 14Local Admin

authenticating as, 98defined, 95UID of, 104

local administratorswith guest access, 120Local Admin for. See Local Adminlocal users as, 93–97

local directories, 197

Index 471

local directory domains, 88local users. See also user accounts

access to services and files by, 93–95assigning local groups to, 101–102assigning local groups to local groups of, 102assigning to local groups of, 99–101configuring with Server app, 93confirming administrator status of, 96–97creating with Workgroup Manager, 106–107disabling accounts, 210–211exporting with Workgroup Manager, 107–108granting administrator status to, 95–96groups of, creating, 98–99importing with Workgroup Manager, 108–110limited admin privileges of, 131monitoring services, 130removing admin status of, 97–98in SACLs for AFP, 118–120in SACLs for SMB, 123in SACLs in Server app, 121–126Server app for, 89–93, 121–126Server Assistant options and. See Server Assistantin VPN Connection pane, 143

locales, 157–158location of software updates, 309locations in iCal

accessing, 426adding, 421–422of user accounts, 428

locks, 262, 307logical port values, 387login

disabling, 212keychains, 68password policies and, 214–217remote, 26, 117troubleshooting, 233, 235

Login Options, 183, 193, 235Login Shell, 91login windows

for authentication, 86–87for authorization, 87configuring, 19Lion Recovery and, 78for Open Directory, 235on other computers, 89shaking, 87

logsfor email, 457in iChat, 432, 437–438import, in Console, 146inspecting, 76–78

in NetBoot, 306–307in Open Directory, 233–234in Profile Manager, 277server, 307for VPN services, 147–148

long names, 90Lookup

configuring Open Directory replicas with, 175–177for DNS, 163introduction to, 1–3, 10–11

MMac App Store

Lion from, 14, 291Lion Server from, 3, 12, 15Server app from, 20, 82software updates from, 17

Mac computersas administrators. See administrator computersinstalling Lion Server on empty volumes, 14–15installing Server app on, 12–13, 15remote configuration on, 4–5requirements for Lion Server on, 2–3scenarios for installing Lion Server on, 8–11Snow Leopard updating, 3verifying system requirements on, 3–4

MAC (Media Access Control) addressesof computers in NetBoot, 301, 303of servers, 5, 22of target computers, 20, 301

Mac OS X. See also OS X Lioncomputer names in, 34, 49Lion Recovery and, 78Setup Assistant in, 61versions required, 2

“Mac OS X: About file system journaling,” 6Mac OS X Extended (Journaled), 6–7Mac OS X Lion. See OS X LionMac OS X Server. See OS X Lion ServerMac OS X Server 10.7. See OS X Lion Server“Mac OS X Server v10.6: Moving an HFS+ Journal

to a different volume,” 6Mac OS X Snow Leopard. See Snow LeopardMail eXchange (MX) servers, 446, 448mail services. See also email

enabling, 448–449generally, 445–447quotas in, 453–454troubleshooting, 457

maintenance of file sharing, 321maintenance of Lion Server, 1Manage Network Accounts, 165–168

472 Index

manageable preferences payloads, 270–273management

of computers with NetBoot, 282–289of network user accounts. See network user

accountsof user accounts. See Profile Managerof websites, 386

mandatory PDFs, 281manual IPv4 address configuration, 9–10Master Boot Record, 6MDM (Mobile Device Management), 249–251Media Access Control (MAC) addresses. See MAC

(Media Access Control) addressesMEIDs (mobile equipment identifiers), 269, 274–275Microsoft Active Directory, 417Microsoft Challenge Handshake Authentication Protocol

(MS-CHAPv2), 209mobile devices, 249–251modules, 383–384monitoring

clients in NetBoot, 305–307Lion Server. See monitoring Lion Serverservers, 321–322services, by local users, 129–130services, limited admin privileges for, 130web services, 399–402

monitoring Lion Serverintroduction to, 1moving service data to different volumes in, 58–59with Server Admin, 45–47with Server app, 39–43Server Status Dashboard Widget for, 56–58Software Update for, 54–56tools for, generally, 39

mounted share points, 316mounted volumes, 290mounts, 362–364mouse, 52MS-CHAPv2 (Microsoft Challenge Handshake

Authentication Protocol), 209multicast streams, 303multiple computers. See also NetBoot, 283multiple groups. See also groups, 346Multiple Networks Detected pane, 28multiple users. See groupsMX (Mail eXchange) servers, 446, 448

nN key, 293, 299–300names

of accounts, 90, 92computer, 34–35

DNS for. See DNS (Domain Name System)domain, 386–389full, 90, 106fully qualified domain. See FQDNs (fully

qualified domain names)host, 8–9, 30–31, 35–37long, 90service, 52short, 90, 105–107

NAT (Network Address Translation), 437nested groups, 346nested replicas, 157Net Restore, 289NetBIOS, 317NetBoot

configuring clients in, 299–300configuring images in, 300–302configuring servers for, 296–298configuring service to images in, 297–298creating images in, 287–293default images in, 293deployment issues and, 281–282Ethernet for, 3filtering clients in, 303–305hardware requirements for, 284home folders in, 286image types in, 288–289introduction to, 281as Lion Server service, 51managing computers with, 282–289monitor only access in, 131–133monitoring clients in, 305–307NetRestore images in, 303Network Install in, 289NFS for, 318protocols for images in, 293–294references on, 312review questions on, 312–313shadow files in, 294–295Software Update for, 308–311startup in, 284–286summary of, 312System Image Utility in, 287–293troubleshooting, 307–308, 311verifying share points in, 297

Nethomes folders, 363–366NetInstall, 284, 291–293NetRestore

configuring images in, 303default images in, 293introduction to, 284

Network Address, 32–34

Index 473

Network Address Translation (NAT), 437network disk images, 299Network File System (NFS). See NFS (Network

File System)network home folders

generally, 361–362network mounts in, 362–364share points and, 320users in, 364–366

Network Installimages in, 299introduction to, 284in NetBoot, 289

network mounts, 315, 362–364Network preferences, 235–236Network Time Protocol (NTP). See NTP (Network

Time Protocol)network traffic

encrypting, 59, 137–138, 317, 319firewalls and, 308NFS, 294patterns of, 321–322received, 144Server Admin monitoring, 48, 130Server app monitoring, 42–43SSL for, 396–399

network user accounts. See also user accountsdisabling, 210–211managing, generally, 193–194with Server app, 194–196, 202–208with Workgroup Manager, 196–202

Network Utilitybinding to other servers with, 183configuring Open Directory replicas with, 175–177confirming DNS records, 163–165introduction to, 10–11multiple OD servers, supporting, 242MX servers in, 446for network user accounts, 201–202

“New users may not have access to services,” 107NFS (Network File System)

disk images on, 293–294for file sharing services, 318in NetBoot, 285–286

No Access permissions, 330, 335, 336NT LAN Manager, 209NTP (Network Time Protocol)

in Kerberos, 235in Open Directory, 181in Time Zone pane, 29

OOffice, 281Open Directory

accessing log files in, 233–234Address Book and, 439another server, configuring to use, 182–188another server, connection to, 162–163another server, using generally, 158–159another server, using remotely, 188–193archiving data in, 221–224authentication in, generally, 209binding Lion to, 192–193configuring, generally, 165defined, 154–155disabling user accounts in, 210DNS records in, 163–165, 236–243generally, 153global password policies in, 215–219iCal and, 417inspecting archive contents in, 224–226introduction to, 51, 154Kerberos and, 219–221, 235–236locales in, 157–158Log in, 233–234masters in. See Open Directory mastersmultiple servers in, 236–243network user accounts in, generally, 193–196network user accounts, using Server app, 202–208network user accounts, using Workgroup

Manager, 196–202Password Server, 209per-user password policies in, 211–213preparing to configure, 159–165references on, 244–245replicas in. See Open Directory replicasrestoring data in, 221, 226–227review questions on, 246–247SACLs in, 124–125Server Admin for, 218–219, 227–233Server app for, 165–168, 194–196, 202–208service components of, 155–159single sign-ons in, 219–221single user account settings in, 213–214summary of, 243–244testing user account policies in, 214–215tools for configuring, 159–163troubleshooting, 233–236user account password policies in, 211–215user authentication in, 209–210Users & Groups preferences binding, 192–193Workgroup Manager for, 196–202

474 Index

Open Directory mastersarchiving data in, 222–224configuring, generally, 165configuring servers remotely with, 190–192configuring with Server Admin, 227–233configuring with Server app, 165–168effects of becoming, 168–174global password policies in, 216, 218iChat in, 435importing network user accounts, 203–205inspecting archive contents, 224–226introducing, 156network mounts in, 362–363network user accounts and, 194–196preparing to configure, 159–163Profile Manager and, 252replicas and. See Open Directory replicasrestoring data in, 226–227Server Admin configuring, 161–162

Open Directory replicasbinding Lion to, 192–193configuring, 174–182importing network user accounts, 202introducing, 156–157masters and. See Open Directory masterspreparing to configure, 162restoring, dangers of, 233

OpenLDAP (Lightweight Directory Access Protocol). See also LDAP (Lightweight Directory Access Protocol), 155–156

operating systems. See OS (operating systems)Option key, 299, 307optional ACLs (access control lists). See also ACLs

(access control lists), 333–334Organization pane, 28–29OS (operating systems)

installing Lion Server on, 6–8NetBook updating, 282NetBoot images and, 290OS X. See Mac OS X. See also OS X LionOS X 10.7. See OS X Lion Server

OS X. See Mac OS X. See also OS X LionOS X Lion.

Address Book on, 440–444DNS service on, 236–240local profiles on, 262manageable preferences payloads for, 270–273Open Directory for. See Open Directoryin Profile Manager, 265System Image Utility on, 290Time Machine on, 369–370

“OS X Lion: About Lion Recovery,” 78OS X Lion Server. See also specific services.

configuring. See configuration, Lion Serverexported files from, 151exporting users and, 103installing. See installation, Lion Servermonitoring. See monitoring Lion ServerNetBoot on. See NetBootOpen Directory in. See Open DirectoryProfile Manager on. See Profile Managerrequirements for, 2–3User Profile Portal for, 256web services of. See web services

OTA (over the air) device management, 251Others share points, 335outgoing email. See also email, 406, 449–450over the air (OTA) device management, 251Overview pane, 4–5, 321ownership in POSIX. See POSIXownership with SMB, 335

PPackages, 287parameter random-access memory (PRAM), 299Partition Map, 6partitions, 6–8passcodes, 269, 270–273Password Server

archiving databases in, 222authentication databases in, 156for authentication, generally, 209database in, 233for network accounts, 170for Open Directory replicas, 174, 180for restoring Open Directory data, 226–227, 230synchronizing with Kerberos, 216

Password Service, 233–234passwords

for Address Book, 445expired, 215–216exporting users and, 103firmware and, 307global policies for, 215–219for iCal, 423, 429for iChat, 438in Kerberos, 219–220login windows requiring, 86–87for multiple user accounts, 154for network user accounts, 197in Open Directory, 155, 167, 209per-user policies for, 211–213

Index 475

policies for, 211–215in production environments, 110remembering, 88Server Admin examining, 218–219single user, 213–214testing, 214–215troubleshooting, 235in VPN connections, 138for wikis, 416

payloadsencrypting, 138manageable preferences, 270–273in Profile Manager, 270–273

PDFs, 281per-image filters, 304–305Permission pop-up menu, 129–130, 132permissions

ACEs allowing, 337ACLs for. See ACLs (access control lists)ACLs vs., 347authentication and. See authenticationauthorization and. See authorizationcomplex, 341–342in POSIX. See POSIXpropagating in ACLs, 345protocols assigning, 336SACLs for. See SACLs (service access control lists)types of, 330, 336

physical network connections, 235PKIs (public key infrastructure), 59placeholders, 274–275plist (preference list), 301Podcast Composer, 44Podcast Producer, 51, 87POP (Post Office Protocol), 447portability, 345ports

for Address Book, 445for Apple software, 138iCal on, 429for iChat, 430, 438for new websites, 386–391security of, 396–398troubleshooting, 402for wikis, 416

POSIXACLs vs. permissions in, 347adjusting settings in, 321introduction to, 329ownership in, 330, 333–336permissions in, 333–336

precedence in, 347–348sharing protocols in, 336WebDAV and, 335

Post-Install Scripts, 287Post Office Protocol (POP), 447Postfix, 445PRAM (parameter random-access memory), 299precedence, 347–348preference list (plist), 301preferences for users, 273preferences payloads, 270–273Primary Zone, 237, 239–241printers, 154private keys, 59, 61Profile Manager

configuring, generally, 251delivering profiles in, 268–269device accounts in, 269, 274–275device group accounts in, 269, 274–277enabling, 253–256enrolling devices in, 278group accounts in, 269installing profiles in, 277introduction to, 249–250manageable preferences payloads in, 270–273management levels in, 251managing profiles locally, 262–263Mobile Device Management in, 251Open Directory masters and, 159preferences for user groups in, 273preparing to configure, 252references on, 278remotely locking or wiping devices, 269review questions on, 279Software Update Service vs., 311summary of, 278terminology in, 252troubleshooting, 277–278user accounts in, 269User Portal in, 251User Profile Portal in, 256–262using, 263–268viewing logs in, 277viewing profiles in, 277web app in, 250, 263

Profile, VPN, 140–145propagation of permissions, 345protocols. See also specific protocols

for file sharing services, 316–319, 336for images in NetBoot, 293–294for permissions, 336for share points, 317

476 Index

public keys, 59, 61Public share points, 325, 327–328push certificates, 252push for profiles, 269push notifications, 254, 416

rRADIUS, 51RAID (Redundant Array of Independent Disks), 8RAM, 284Read & Write permissions

in file sharing services, 330in folder hierarchies, 349–352in POSIX, 335–336

Read Only permissionsfor Everybody, 384in file sharing services, 330–331in folder hierarchies, 349in NetBoot, 285in POSIX, 335for websites, 392for Wiki Group, 412for wiki users, 413

Read permissions, 341–342, 392realms in Kerberos, 219, 229Recovery HD, 78Redundant Array of Independent Disks (RAID), 8Region pane, 23Registration Information pane, 25relays, 157remote configuration, 5–6, 20–23remote devices, 262remote Lion Servers, 52Remote Management, 260“Remote Setup In Progress,” 23removal

of profiles, 262–263of reverse DNS zones, 231–232, 236–240of unused services from Server Admin, 136–137of VPN Profile, 144–145

Repair Disk, 78resources, 421–422, 427restart computers, 295restoration

of files with Time Machine, 371–373of image files, 288of Open Directory data, 221, 226–227

restriction of iChat users, 435reverse DNS records. See also DNS (Domain Name

System), 10–11, 239–241Review pane, 38

ROM (read-only) memory files, 285–286root certificates. See also certificates, 258

SSACLs (service access control lists). See also ACLs

(access control lists)administering services in, 131administering specific services only in, 131–133AFP in, 118–121authorization in, 116–117binding to Open Directory servers, 187–188binding to other directory services, 162–163cleaning up, 133–136for collaborative services, 406configuring generally, 117–118creating new users in, 126–127defined, 85editing, 332–333File Sharing and, 119, 137GUIDs in, 337inspecting in Server Admin, 125–128inspecting in Server app, 121–125limited admin privileges in, 129–138modifying with Server app, 125monitoring services in, 130network user accounts in, 196, 201, 208for Open Directory masters, 160, 170–171removing unused services and, 136–137for SMB, 123troubleshooting, 145Workgroup Manager for, 126–127

SafariApache error logs and, 400creating new websites in, 390enabling and disabling websites in, 384–385SSL certificates in, 73SSL websites in, 397web mail in, 451–453website access in, 393, 395wikis in, 408–415

safety videos, 281Screen Sharing

cleaning up with, 377confirming DNS records in, 163–165importing network user accounts in, 202inspecting file-sharing logs in, 375–376inspecting Open Directory archives in, 224–226multiple Open Directory servers in, 241–243Open Directory replicas in, 172–174other Open Directory servers in, 183in Server Admin, 53–54

Index 477

Secure Shell. See SSH (Secure Shell)Secure Sockets Layer. See SSL (Secure Sockets Layer)security

in configuring servers remotely, 191time sensitivity in Kerberos, 220of websites, 396–399

self-signed SSL certificates, 39–40, 63–68Server Admin

archiving Open Directory data with, 222–224binding to Open Directory servers with, 186–188cleaning up authorization with, 133–136configuring NetBoot servers with, 296–298configuring NetBoot with, 291–293configuring Open Directory masters with, 159–

161, 170, 227–233configuring Open Directory replicas with, 162,

177–181configuring Open Directory with, 161–162configuring services with, generally, 45–47creating SACLs for SMB with, 123default images and protocols in, 293–294defining Open Directory locales with, 157–158Diskless checkbox in, 295editing SACLS in, 332exporting settings with, 52–53general settings in, 47–50hardware addresses in, 303importing network user accounts with, 207–208importing settings with, 52–53inspecting SACLs with, 125–126, 127–128installing, 44–45introduction to, 39limited admin privileges in, 129–133local users in, 129–131logs in, 76, 78monitoring Lion Server with, 45–47multiple Open Directory servers with, 236–240NTP services in, 181Open Directory log files in, 233–234Open Directory masters in, 156Overview pane in, 4–5, 321–322password policies in, 211, 214–215per-image filters in, 304–305removing unused services from, 136–137restoring Open Directory data with, 226–227for SACLs, 117Screen Sharing app in, 53–54Software Update in, 54–56Software Update Server in, 308–311

System Image Utility in, 287, 290working with services in, 50–52

Server appfor access in folder hierarchies, 350adding users to SACLs with, 102, 105Address Book in, 439–440Allow or Deny in, 347binding servers to Open Directory with, 158binding to Open Directory servers with, 182–186binding to other directory services with, 162cleaning interfaces with, 376–377configuring administrator accounts with, 92–93configuring administrator computers with, 15–20configuring file sharing users with, 319–320configuring Lion Server with, generally, 1configuring local user accounts with, 93–102configuring Open Directory masters with,

159–160, 165–168configuring Open Directory replicas with, 175configuring services to use certificates, 71–72configuring user accounts with, 89–92configuring Virtual Private Network with, 138–140connecting to Lion Server with, 39–43creating new users in SACLs with, 126–127creating self-signed SSL certificates with, 63–68Directory Utility in, 188–192Edit Access to Services in, 122editing SACLS in, 332Enable Webmail in, 451enabling File Sharing in, 117enabling Profile Manager in, 253enabling Wiki service in, 407–410File Sharing pane in. See File Sharing panefile sharing services in, 319–321global password policies in, 216–218granting administrator status with, 92–93home folders in, 364–366for iCal, 417, 420–422for iChat, 431, 435importing users from text files with, 103inspecting file-sharing logs with, 375–376inspecting network user accounts with, 200–202inspecting SACLs with, 121–125installing, 9, 12–13, 15Logs pane in, 76–78Mail service in, 448–449, 453–454maintenance tasks by, 321Manage Network Accounts in, 165–168managing websites with, 384–385

478 Index

modifying SACLs with, 125monitoring Lion Server with, 41–43moving service data to volumes with, 58–59network user accounts in, 194–196, 202–208password policies in, 211remote Lion Server configuration with, 20–23Software Update in, 54–56SSL websites in, 397–398Stats pane in, 321Storage pane in, 339–341Time Machine access with, 367troubleshooting with, 145–148turning File Sharing off with, 137turning File Sharing on with, 119verifying share points with, 297verifying website folder access with, 392–394web services in, 385

Server AssistantAdministrator Account pane in, 25–27Airport Management pane in, 37Apple ID pane in, 24–25Computer Name in, 34–35confirming DNS records with, 163Connecting to Your Mac pane in, 31–36creating DNS zones with, 239–240creating SACLs with, 118–119DNS service in, 50Host Name pane in, 30–31, 35–37introduction to, 23Keyboard pane in, 23License Agreement pane in, 25Multiple Networks Detected pane, 28Network system preferences in, 32–34Organization pane in, 28–29Region pane in, 23Registration Information pane in, 25remote Lion Server configuration with, 26Review pane in, 38Thank You pane in, 38–39Time Zone pane in, 29–30Transferring an Existing Server pane in, 24Xsan pane in, 27

Server Message Block (SMB). See SMB (Server Message Block)

Server Monitor, 44Server pane, 24server-side scheduling, 417Server Status Dashboard Widget, 56–58servers

additional, 158–159, 162–163, 182–188administration of. See Server Admin

application for. See Server appassistance for. See SACLs (service access

control lists)cleaning up authorization on, 133–136components of, 9–14configuring for NetBoot, 296–298Directory Utility for, using remotely, 188–193filtering, 308NetBoot impacting performance of, 286–287

Servers list, 46–47service components, 155–159service data storage, 58–59service logs, 437–438Service Name button, 52Services list, 51Setup Assistant, 61shadow files

defined, 285of images, 294–295troubleshooting, 307

shadow passwords, 209share points

access with, 329–333adding and removing, 325–327configuring individual, 327–328creating, generally, 323default, 325defined, 315File Sharing pane for, 324–328with Guest access, 120for local administrators, 120mounted, 316in NetBoot, 286, 297network home folders on, 362protocols for, 317, 320, 323Server app for, 320

shared directory services. See Open Directoryshared folders

access in, 351configuring access to, 329introduction to, 325permissions for, 334POSIX for, 336

Shared Item folders, 326, 367shared LDAP databases, 227shared LDAP directories, 193–194, 227shared secrets, 138–139shareware, 281Sharing preferences pane, 17short names, 90, 105–107Show Profile, 267

Index 479

signed certificates. See also SSL (Secure Sockets Layer) certificatesCode Signing certificates, 255importing, 70–71self-signed, 39–40, 63–68signing requests for, 68–70

Simple Mail Transfer Protocol (SMTP). See SMTP (Simple Mail Transfer Protocol)

single sign-ons, 219–221Sites folder, 384SMB (Server Message Block)

authentication and, 87case-sensitivity in, 375creating SACLs for, 123defined, 316–318disabling, 323guest access for, 328inspecting SACLs for, 126–128POSIX for, 335–336SACLs for, generally, 117for share points, 320–321

SMTP (Simple Mail Transfer Protocol)introduction to, 446outgoing email, 449–450for web mail, 457

Snow LeopardServer Admin Tools on, 45server components on, 14Time Machine on, 366upgrading existing Macs with, 3

Software Update Service. See SUS (Software Update Service)

Sort Access Control List Canonically, 348SpamAssassin software, 455Spamhaus Project, 455–456sparse disk images

archiving data with, 222, 225restoring data with, 231–232

SSH (Secure Shell)configuring SACLs for, 117–118in Open Directory masters, 171–172restoring original SACLs in, 135

SSL (Secure Sockets Layer), 396–399, 407SSL (Secure Sockets Layer) certificates

for Address Book, 420, 439binding Lion to Open Directory and, 193binding to other servers and, 184Certificate Signing Requests for, 68–70creating self-signed, 63–68default, 61–63for iCal, 420

for iChat, 431, 436importing signed, 70–71introduction to, 59–61for new websites, 397–398in Open Director masters, 160Profile Manager and, 252services using, 71–72trusting, 39–40, 72–76for web mail, 451, 457for wikis, 408–409

Standalone Directory, 178standalone servers, 161–162, 226–227startup delays, 235Startup Disk pane, 287, 299–300startup, in NetBoot, 284–286, 299Startup Manager, 299startup volumes, 285–286, 295Statistics, 43Stats pane, 321storage of shadow files, 295Storage pane

adjusting settings over time, 321introduction to, 41–43in Server app, 339–341

Store Site Files In, 387, 389, 396streams, multicast, 303subnets, 157SUS (Software Update Service)

configuring computers for, 311individual updates in, 310–311for monitoring, 54–56for NetBoot, 308–311Profile Manager vs., 311Server Admin and, 54–56troubleshooting, 311updating with, generally, 54–56

System Administrator, 329System Configuration Settings, 287System CPU, 42System Image Utility

Automator Library and, 301creating images with, 287–293image types in, 288installing, 44introduction to, 281–282for NetBoot, 290–293

System Information, 5System keychains. See keychainsSystem Preferences

binding Lion to Open Directory with, 192–193introduction to, 17–20

480 Index

managing profiles locally with, 262Profile Manager web app and, 267–268Startup Disk pane in, 287, 299–300Time Machine on, 369, 373

system requirements, 3–6

TT key, 300Target Disk Mode, 293, 300TCP (Transfer Control Protocol), 138, 318Terminal app, 322–323test networks, 15–16text messages. See iChatTextEdit

in Launchpad, 371for new websites, 388, 396in Workgroup Manager, 108, 110–112

TextImport, 113–116TFTP (Trivial File Transfer Protocol), 285–286TGT (Ticket Granting Ticket), 220Thank You pane, 38–39tickets in Kerberos, 219–221, 235–236Time Machine

backups in, 370–371configuring destinations in, 367–368introduction to, 366–367on Lion computers, 369–370restoring destinations in, 371–373

time sensitivity, 220–221Time Zone pane, 29–30timestamps, 181, 235traffic. See network trafficTransfer Control Protocol (TCP), 138, 318Trash, 371–372Trivial File Transfer Protocol (TFTP), 285–286troubleshooting

Address Book, 445file services, 374iCal, 429iChat, 438Lion Server installation, 76–78mail services, 457NetBoot, 307–308, 311Open Directory, 233–236Profile Manager, 277–278SACLs, 145Software Update, 311user accounts, 146–147VPN service, 147–148Wiki service, 416Workgroup Manager, 107–108

trusted CAs (Certificate Authorities). See also CAs (certificate authorities), 72–76, 172–173

trusted profiles, 257–258, 277–278trusted SSL (Secure Sockets Layer) certificates. See also

SSL (Secure Sockets Layer) certificatesfor binding to Open Directory, 193configuring, 59–61for Open Directory servers, 184verifying, 40

UUDP (User Datagram Protocol), 138UIDs (user IDs). See user IDs (UIDs)UNICODE, 317UNIX, 318updates for software. See SUS (Software Update Service)URLs, 311, 317, 384user accounts

access of, 86–87administering, generally, 88Advanced Options for, 90–91authentication of, 209–210configuring with Server app, 89–92creating with Server app, 126–127creating with Workgroup Manager, 104–107,

126–127disabling, 210email, 450, 453–454formatted lists of, 108–110global password policies for, 215–219in iCal, 422–428in iChat, 433–435IDs for. See user IDs (UIDs)Kerberos defining, 219local. See local usersmanageable preferences payloads for, 270–273managing. See Profile Managernetwork. See network user accountsin network home folders, 364–366password policies for, 211–215per-user password policies for, 211–213SACLs for. See SACLs (service access control lists)Server Admin for, 218–219single user account settings, 213–214System Image Utility for, 287testing policies for, 214–215text lists of, 110–116troubleshooting, 146–147Workgroup Manager for, generally, 102–104

User CPU, 42

Index 481

User Datagram Protocol (UDP), 138user IDs (UIDs)

in ACLs, 336introduction to, 91–92of Local Admin, 104sorting user list by, 107in Workgroup Manager, 107

User Portal, 250–251, 268–269User Profile Portal, 256–262users. See user accountsUsers & Groups

binding to Open Directory with, 162, 182–185, 192–193

binding to other OD servers with, 208cleaning up authorization with, 135–136configuring administrator computers with, 19Directory Utility vs., 188limiting admin privileges for, 129Nethomes in, 364–365preferences in, 192–193system preferences in, 88troubleshooting, 235

Users panefor access in folder hierarchies, 350adjusting settings over time, 321editing SACLS in, 332iCal on, 417Time Machine access with, 367

Users share points, 325, 329“Using an Apple ID,” 120Utilities folders, 6, 10–11

Vverification

of folder access, 392of share points, 297of trusted certificates, 40, 72–76

Verisign, 69–74video conferences. See iChatView Document Root Contents, 387, 392views

of Apache log files, 399–402of default certificates, 61–63of Profile Manager logs, 277of Profile Manager profiles, 277of website parameters, 386–387

Virtual Private Network. See VPN (Virtual Private Network)

virus scans, 454–455

volumesboot, 406copying items in, 334installing Lion Server on, 6–7installing on empty, 14–15mounted, 290moving service data to new, 58–59in NetBoot startup, 285, 287RAID, 8service data on, 58–59in Time Machine, 367–368update packages on, 309

VPN (Virtual Private Network)configuring, 137–138installing, 140–144passwords in, 209removing, 144–145Server app for, 138–140

Wweb app in Profile Manager, 250Web-based Distributed Authoring and Versioning.

See WebDAV (Web-based Distributed Authoring and Versioning)

web mail. See also email, 451–453web services. See also collaborative services

Apache log files, 399–402introduction to, 383monitoring, generally, 399references on, 403review questions on, 403starting in Server app, 385summary of, 402troubleshooting, 402

WebDAV (Web-based Distributed Authoring and Versioning)inspecting logs in, 375–376introduction to, 316–319POSIX and, 335–336for share points, 320–321

websitesaccess to, 393–396basic concepts of, 384creating new, 388–391delivering profiles via, 269disabling, 384–385enabling, 384–385folder access by, 392–394managing, generally, 386

482 Index

parameters of, 386–387references on, 403review questions on, 403security of, 396–399SSL for, 396–399summary of, 402

well-known ports, 138Who Can Access, 387–389, 393–394, 396Wi-Fi, 284Wiki Group, 409, 412Wiki service

binding to other directory services, 162creating wikis in, 410–415data stores in, 406enabling in Server app, 407–410troubleshooting, 416

Wiki User, 410wikis. See also Wiki service, 406–407, 428Workgroup, 169–170, 194Workgroup Manager

creating new users with, 104–107, 126–128disabling user accounts with, 210–211exporting users with, 102–104, 107–108formatted lists of users in, 108–110global password policies in, 217–218

importing users with, 102–104installing, 44network user accounts in, 196–202password policies in, 211–214Profile Manager vs., 250–251restoring network users in, 232Server app vs., 194text lists of users in, 110–116troubleshooting, 147–148

Write Only permissions, 330Write permissions, 341–342

XXgrid, 44, 51XML (eXtensible Markup Language)

downloading profile preferences, 267exporting users in, 108in profiles, 250

XMPP (Extensible Messaging and Presence Protocol), 430, 436

Xsan, 27, 417

Zzones in DNS. See also DNS (Domain Name System),

236–241

OS X Lion Server Essentials -

Documents

Transcript of OS X Lion Server Essentials -